Bug #11023

route_get('default', 'inet') always returns empty

Added by Christian Knop 5 months ago. Updated 5 months ago.

Status: Resolved
Priority: Normal
Category: Routing
Target version:
Start date: 10/31/2020
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.5.0
Affected Architecture: amd64
Release Notes: Default

Description

IP address is missing [NAMECHEAP_SOURCEIP]

test.com
Renewing certificate
account: testing
server: letsencrypt-staging-2

/usr/local/pkg/acme/acme.sh --issue --domain '*.test.com' --dns 'dns_namecheap' --home '/tmp/acme/test.com/' --accountconf '/tmp/acme/test.com/accountconf.conf' --force --reloadCmd '/tmp/acme/test.com/reloadcmd.sh' --log-level 3 --log '/tmp/acme/test.com/acme_issuecert.log'
Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[NAMECHEAP_SOURCEIP] =>
[NAMECHEAP_API_KEY] => XXXXXX
[NAMECHEAP_USERNAME] => XXXXXX
)
[Sat Oct 31 11:27:26 CET 2020] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Sat Oct 31 11:27:26 CET 2020] Single domain='*.test.com'
[Sat Oct 31 11:27:26 CET 2020] Getting domain auth token for each domain
[Sat Oct 31 11:27:29 CET 2020] Getting webroot for domain='*.test.com'
[Sat Oct 31 11:27:29 CET 2020] Adding txt value: XXXXXXXXXXXXXXX for domain: _acme-challenge.test.com
[Sat Oct 31 11:27:29 CET 2020] No Source IP specified for Namecheap API.
[Sat Oct 31 11:27:29 CET 2020] Use your public ip address or an url to retrieve it (e.g. https://ipconfig.co/ip) and export it as NAMECHEAP_SOURCEIP
[Sat Oct 31 11:27:29 CET 2020] Error add txt for domain:_acme-challenge.test.com
[Sat Oct 31 11:27:29 CET 2020] Please check log file for more details: /tmp/acme/test.com/acme_issuecert.log

Attachments:
pfsense.png (28.9 KB) Christian Knop, 11/03/2020 11:08 AM
log fit.png (88.3 KB) Christian Knop, 11/03/2020 11:08 AM
vip nachher.png (26.9 KB) Christian Knop, 11/03/2020 11:08 AM
vip vorher.png (23.6 KB) Christian Knop, 11/03/2020 11:08 AM

History

#1 Updated by Christian Knop 5 months ago

Can the domain cause the problem? A .net works and a .fit and a .vip cause the error.

#2 Updated by Jim Pingle 5 months ago

  • Assignee set to Jim Pingle
  • Target version deleted (2.5.0)

#3 Updated by Jim Pingle 5 months ago

  • Project changed from pfSense Packages to pfSense
  • Subject changed from Acme DNS Namecheap -> no [NAMECHEAP_SOURCEIP] to route_get('default', 'inet') always returns empty
  • Category changed from ACME to Routing
  • Status changed from New to Feedback
  • Assignee changed from Jim Pingle to Renato Botelho
  • Target version set to 2.5.0

Actually this isn't a problem in ACME, it's a problem in a base system function which only exists on 2.5.0.

route_get('default', 'inet') always returns empty.

Renato has a fix in already, b1558574e69965ea68744ad355a60842ca8294ea

#4 Updated by Christian Knop 5 months ago

I am surprised that it is not ACME. I tested ACME on Ubuntu 20.04.1 and sometimes got the same problem. I suspect a problem with multiple domains on one public IP. Tomorrow I will test whether the 1st domain is always possible and not every other. With 3 domains, 1 is always possible, so it is not due to .fit or .vip domains.

#5 Updated by Christian Knop 5 months ago

Under Ubuntu I entered my public IP by hand in the config and was able to solve the problem with it.

However, there were curl errors under Ubuntu but not in the 1st domain. I am convinced that there are problems with 1 public IP and the generation for multiple domains.

#6 Updated by Renato Botelho 5 months ago

Christian Knop wrote:

Under Ubuntu I entered my public IP by hand in the config and was able to solve the problem with it.

However, there were curl errors under Ubuntu but not in the 1st domain. I am convinced that there are problems with 1 public IP and the generation for multiple domains.

Sorry, I'm confused. Is the problem resolved on pfSense? Or are you still able to reproduce it?

#7 Updated by Christian Knop 5 months ago

I just looked to see if the same error existed under Ubuntu.

#8 Updated by Jim Pingle 5 months ago

  • Status changed from Feedback to Resolved

The specific error "No Source IP specified for Namecheap API" was due to a bug in the routing code as I mentioned. It was not populating that variable correctly since it was getting an empty response when looking up the default gateway. That was fixed, and now Namecheap works again.

Nothing else mentioned after that is relevant to this particular error. You might have hit something new in ACME that is unrelated, but if so it probably needs reported to acme.sh and not us.
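An added example, not part of the original thread and not code from pfSense or acme.sh: a pre-flight check that catches the empty NAMECHEAP_SOURCEIP seen in the environment dump above before acme.sh reaches the Namecheap API. It accepts an IP address or a URL, as the acme.sh log message describes; the function names are hypothetical.

```shell
# Added example: validate the dns_namecheap environment before calling acme.sh.
# is_ipv4, classify_sourceip and check_namecheap_env are hypothetical helpers.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, bad dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Classify a NAMECHEAP_SOURCEIP value: prints ip, url, empty or invalid.
classify_sourceip() {
    case "$1" in
        '') echo empty ;;
        http://*|https://*) echo url ;;
        *) if is_ipv4 "$1"; then echo ip; else echo invalid; fi ;;
    esac
}

# Return non-zero if any variable from the environment dump is unusable,
# so the failure is reported before a DNS challenge is attempted.
check_namecheap_env() {
    rc=0
    for name in NAMECHEAP_USERNAME NAMECHEAP_API_KEY; do
        eval "value=\${$name:-}"               # names are fixed constants
        [ -n "$value" ] || { echo "missing: $name" >&2; rc=1; }
    done
    kind=$(classify_sourceip "${NAMECHEAP_SOURCEIP:-}")
    case "$kind" in
        ip|url) ;;
        *) echo "NAMECHEAP_SOURCEIP is $kind" >&2; rc=1 ;;
    esac
    return "$rc"
}
```
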

#9 Updated by Christian Knop 5 months ago

Many thanks for the support. The gateway ip is now correctly recognized.

I have now found the other bug. The 1st domain in Acme works. For each additional domain, 2 instead of 1 DNS .txt are generated.

#10 Updated by Christian Knop 5 months ago

All 3 domains are with Namecheap. 3 different endings .net, .fit and .vip. It doesn't matter in which order the domains are created in Acme, only the 1st from the list works.

#11 Updated by Jim Pingle 5 months ago

That is not relevant to this bug report, and is likely a problem in the script maintained by acme.sh and not us.

#12 Updated by Christian Knop 5 months ago

I tried the following https://chasingcode.dev/blog/fix-curl-error-60-ssl-certificate-problem/. The entry in the php.ini is overwritten after each reboot.

#13 Updated by Christian Knop 5 months ago

How to fix cURL error 60: SSL certificate problem
Narendra Vaghela
Sep 1, 2016·1 min read

Sometimes, when we make a curl call to third party services, we get an error curl: (60) SSL certificate : unable to get local issuer certificate.

This error occurs because the curl verifies and makes a secure connection request using self-signed certificate. When it does not find the valid certificate, it throws an error.

To fix this error, follow the steps below:

Open http://curl.haxx.se/ca/cacert.pem
Copy the entire page and save it as a “cacert.pem”
Open your php.ini file and insert or update the following line.
curl.cainfo = "[pathtofile]cacert.pem"

#14 Updated by Jim Pingle 5 months ago

Stop posting to this bug report. The one single issue for this report is resolved. If you have some other issue, it does not belong here as it is not related. Please post to the forum to discuss the problem, not here.

#15 Updated by Christian Knop 5 months ago

Jim Pingle wrote:

That is not relevant to this bug report, and is likely a problem in the script maintained by acme.sh and not us.

Oh sorry, I thought the script is specially adapted for pfSense.
